/g/ - Technology

>>58723
(replace all instances of '\\' with '\'; 8kun's code blocks treated '\' as escapes)

You will also most likely need the following Powershell script in the TemplateVM, set in taskschd.msc to execute every 60 seconds from startup, in order to ensure your AppVMs based on the template configure proper network settings:

$newipAddress = (c:\\windows\\system32\\qubesdb-cmd.exe -c read /qubes-ip).Trim()
$newgateway = (c:\\windows\\system32\\qubesdb-cmd.exe -c read /qubes-gateway).Trim()
$newdns1 = (c:\\windows\\system32\\qubesdb-cmd.exe -c read /qubes-primary-dns).Trim()
$newdns2 = (c:\\windows\\system32\\qubesdb-cmd.exe -c read /qubes-secondary-dns).Trim()
$newdnsServers = @($newdns1, $newdns2)
$macAddress = (c:\\windows\\system32\\qubesdb-cmd.exe -c read /qubes-mac).Trim()
$macAddressDash = $macAddress.Replace(":", "-")
# Check if an adapter with the specified MAC address exists
$adapter = Get-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.MACAddress -eq $macAddress }
$config = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.MACAddress -eq $macAddress }
Write-Host "Check for adapter."
if ($adapter) {
    # Get current IP configuration
    $currentipAddresses = (Get-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex).IPAddress
    # Get current gateway configuration
    $currentgateways = $config.DefaultIPGateway
    # Get current DNS configuration
    $currentdnsServers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex).ServerAddresses
    if ($newipAddress -ne $currentipAddresses -or $newgateway -ne $currentgateways) {
        Write-Host "Address mismatch found."
        Disable-NetAdapterBinding -Name $adapter.NetConnectionID -ComponentID ms_tcpip6
        Set-NetIPInterface -InterfaceIndex $adapter.InterfaceIndex -Dhcp Disabled
        # Remove existing IP addresses
        foreach ($ip in $currentipAddresses) {
            Remove-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex -IPAddress $ip -Confirm:$false
        }
        # Set the IP address and subnet mask using WMI methods
        $config.EnableStatic($newipAddress, "255.255.255.0")
        # Set the default gateway using WMI methods
        $config.SetGateways($newgateway)
    }
    Write-Host "Setting DNS servers."
    # Set the DNS servers using WMI methods
    $config.SetDNSServerSearchOrder($newdnsServers)
}
# Exit cleanly
Write-Host "Script execution completed."

Ultimately, the idea with this whole setup above is to ensure Windows has no network access by default when it comes up in an AppVM that does have network, because Windows Firewall is fascistly blocking everything.  Any internet-using application you install into the TemplateVM must also have a corresponding default-disabled rule added in gpedit.msc that would give it outbound access to the internet, and when you start an AppVM you need to launch gpedit.msc, navigate to the outbound Firewall rules, and specifically enable DNS (line 1 in my rules list above) and whatever application rules you intend to immediately use.  The only internet connected application I use is TradeStation, otherwise I have a second Windows TemplateVM I use for applications (CS6, Maya, SolidWorks, Maxwell Render, Wolfram Mathematica, and more) that sees no internet whatsoever, even from the Qubes OS netvm configuration perspective.

Follow standard Qubes guidelines for TemplateVMs, in DO NOT HAVE THEM CONNECTED TO THE INTERNET; there is one exception: the rare times you want to run Windows Updates.  You will connect the TemplateVM using qvm-prefs TEMPLATENAME netvm FIREWALLNAME, then enable the DNS and SVCHOST rules, then run your updates, then disable the rules (do not forget this, or your AppVMs come up with those rules enabled), and then do qvm-prefs TEMPLATENAME netvm none to disconnect the TemplateVM.  The only telemetry the update system could give is the state of the TemplateVM (installed applications, settings, etc), but *not* anything in your AppVMs unless you fucked up on the firewall settings (or Windows one day just disregards its own firewall).  I have an idea for using a separate clean TemplateVM that would run WSUS configured to keep its data files on Q:, so that a combination of AppVM+disposable_template use (to get updates) and DispVM use (to apply updates to other Windows TemplateVMs, in a ratchet-way that would prevent any possible downstream telemetry being exfiltrated through WSUS, but is beyond the scope of this post.

Sorry I took forever to begin posting instructions for building a similar Qubes system to mine.  I wanted to get the Windows TemplateVM post out of the way here first so the Windows-reliant can migrate away from native Windows and onto a safer environment.

(Above are my Qubes OS posts as made at >>>8kun/pol/13652695)

>>58723
>Anyone needing a Windows TemplateVM is implored to choose Windows Server Evaluation, which you will then convert to full Da...
I understand my outline is very terse.  Feel free to copy & paste into your LLM of choice to explain things which don't make sense to you (use Tor browser, or Mullvad Browser on your choice of VPN, if you want to try to hide your Qubes OS interest from the cloud LLM vendors).